[netflow-tools] Softflowd IPFIX date and time problem.
Hitoshi Irino
irino at sfc.wide.ad.jp
Thu Aug 28 22:55:57 EST 2014
Hello Varun,
I tested on the 64-bit version of Ubuntu Linux 14.04.1.
In my test environment, softflowd observed packets sent by nmap -sU (UDP
port scan). It works well. The exported IPFIX flow records include an
accurate flow end time.
Could you tell me about your environment?
Regards,
Hitoshi
On 2014/08/28 14:22, Varun Sharma wrote:
> Hi,
>
> I am using the Softflowd IPFIX-supported version (Revision: 80aac3b2fec3)
> downloaded from Google Code. I export flows in IPFIX format to a
> collector server (NFDUMP 1.6.10). I am seeing an issue with the date and
> time fields when I am reading the nfdump logs.
>
> Whereas in the case of Netflow v5 and v9 it is working fine, meaning the
> proper date and time come in the nfdump logs.
>
> Command run:
>
> softflowd -i eth3 -n 192.168.50.2:9995 -v 10 -d -t maxlife=30 -D -A milli
>
> nfdump log:
>
> $ nfdump -r nfcapd.201408280909
>
> Date first seen Duration Proto Src IP Addr:Port
> Dst IP Addr:Port Packets Bytes Flows
>
> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
> 192.168.50.1:43241 -> 192.168.50.2:5001 .AP.SF 0 17405
> 823.5 M 1
>
> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
> 192.168.50.2:5001 -> 192.168.50.1:43241 .A..SF 0 15470
> 711626 1
>
> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
> 192.168.50.1:43242 -> 192.168.50.2:5001 .AP.SF 0 20138
> 928.1 M 1
>
> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
> 192.168.50.2:5001 -> 192.168.50.1:43242 .A..SF 0 20814
> 957450 1
>
> 2005-04-02 04:35:37.967 1970-01-01 05:30:00.000 3182570558.033 TCP
> 192.168.50.1:43243 -> 192.168.50.2:5001 .AP.SF 0 20031
> 925.8 M 1
>
> .......
>
> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP
> 192.168.50.1:43257 -> 192.168.50.2:5001 .AP.SF 0 7235
> 348.3 M 1
>
> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP
> 192.168.50.2:5001 -> 192.168.50.1:43257 .A..SF 0 10138
> 466354 1
>
> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP
> 192.168.50.1:43258 -> 192.168.50.2:5001 .AP.SF 0 13164
> 610.1 M 1
>
> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP
> 192.168.50.2:5001 -> 192.168.50.1:43258 .A..SF 0 15663
> 720504 1
> .......
>
> 2016-01-02 07:16:04.432 1970-01-01 05:30:00.000 2843268131.568 TCP
> 192.168.50.2:5001 -> 192.168.50.1:43268 .A..SF 0 18639
> 857400 1
>
> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
> 192.168.50.1:43269 -> 192.168.50.2:5001 .AP.SF 0 28301
> 1.3 G 1
>
> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
> 192.168.50.2:5001 -> 192.168.50.1:43269 .A..SF 0 34656
> 1.6 M 1
>
> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
> 192.168.50.1:43270 -> 192.168.50.2:5001 .AP.SF 0 29209
> 1.3 G 1
>
>
> ....
>
> Summary: total flows: 162, total bytes: 59.4 G, total packets: 2.6 M,
> avg bps: 0, avg pps: 0, avg bpp: 0
> Time window: 2014-08-28 09:09:31 - 2014-08-28 09:14:31
> Total flows processed: 162, Blocks skipped: 0, Bytes read: 9832
> Sys: 0.005s flows/second: 27009.0 Wall: 0.005s flows/second: 30291.7
>
>
> I also used sec with the -A option, but in that case the same problem
> persists. I have also attached a tcpdump pcap file. Please find the attachment.
>
> Does anybody know why it's happening?
>
>
> Regards
> Varun
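Added example, not part of the original thread and not softflowd or nfdump code: one way to see which timestamp fields an exporter declares in its IPFIX templates, and with what lengths, when checking a report like the one above. The element ids come from the IANA IPFIX registry; the function name and the sample message are constructed for illustration, and which elements softflowd emits for "-A milli" is not assumed here.

```python
import struct

# IANA IPFIX timestamp elements: id -> (name, full encoded length in bytes)
TIME_IES = {
    21: ("flowEndSysUpTime", 4), 22: ("flowStartSysUpTime", 4),
    150: ("flowStartSeconds", 4), 151: ("flowEndSeconds", 4),
    152: ("flowStartMilliseconds", 8), 153: ("flowEndMilliseconds", 8),
    160: ("systemInitTimeMilliseconds", 8),
}

def time_fields(msg):
    """List (template_id, element_name, declared_len, full_len) for every
    timestamp element declared in the template sets of one IPFIX message."""
    if len(msg) < 16:
        raise ValueError("shorter than the 16-byte IPFIX header")
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length < 16 or length > len(msg):
        raise ValueError("not a complete IPFIX (version 10) message")
    found, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        pos, end = off + 4, off + set_len
        while set_id == 2 and pos + 4 <= end:   # set id 2 = template set
            tid, count = struct.unpack_from("!HH", msg, pos)
            if tid < 256:                        # zero padding, not a template
                break
            pos += 4
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("truncated field specifier")
                ie, flen = struct.unpack_from("!HH", msg, pos)
                pos += 4
                if ie & 0x8000:                  # enterprise bit: skip the PEN
                    pos += 4
                elif ie in TIME_IES:
                    name, full = TIME_IES[ie]
                    found.append((tid, name, flen, full))
        off += set_len
    return found

# Constructed sample: one message declaring template 1024 with
# sourceIPv4Address(8), destinationIPv4Address(12) and the two millisecond stamps.
SAMPLE = (struct.pack("!HHIII", 10, 40, 1409198971, 0, 0)
          + struct.pack("!HHHH", 2, 24, 1024, 4)
          + struct.pack("!8H", 8, 4, 12, 4, 152, 8, 153, 8))

if __name__ == "__main__":
    print(time_fields(SAMPLE))
```

Feed it the UDP payload of one export packet taken from a capture; a declared length that differs from the full length, or a template with no absolute-time element at all, is worth including when describing the environment.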